It is only in the past several years that banks and mortgage lenders have faced heightened risk from wire fraud losses. In this time period lenders have been forced to uncover and defend the wide-spread use of various cyber schemes, including basic phishing using mass-market emails, spear phishing, using cyber intrusion tactics to go after specific targets, whaling, using email schemes to target key owners and managers (C-level employees), or business email compromise (BEC), where intruders pretend to be the CEO or CFO.
These schemes all have one purpose: to disrupt operations by gaining access to internal communications and data, with the intention of causing financial harm.
Due to the relatively uncontrolled nature of communications surrounding the closing of mortgage loans, where many different parties come together to close a transaction, the ability of cyber criminals to infiltrate and cause havoc is a continued threat. It is very difficult for lenders to manage the security of information and data being transferred among so many varied parties: the borrower, seller’s attorney, settlement agent, real estate agent, and others, such as property inspectors and appraisers.
Best practices, which are required by financial regulators and by some state data privacy and security statutes (i.e. New York and California come to mind) should include:
- Ensuring all employees use encrypted email tools when transmitting confidential borrower and transaction data;
- Prohibiting employees (many of whom are no working from home) from using personal emails and from storing lender and borrower data and documents on unprotected local servers;
- Requiring sterile home work environments, protecting sensitive consumer and financial information from the prying eyes of anyone without a need to access such information, including family members, neighbors and guests;
- Training employees inidentifying email phishing schemes, especially whaling schemes, so that they do not inadvertently allow bad actors in through the “front door;”
- Educating consumers about phishing schemes and how they may impact their transaction, especially through attacks on their personal email accounts;
- Insisting that all transaction partners verify any wire instructions and adopt a red flag policy whenever wire instructions change abruptly in the midst of a transaction;
- Adopting password protection policies that require all employees to change access passwords to all systems on a regular basis;
- Conducting (or outsourcing) system security checks, including penetration checks to expose any weaknesses and vulnerabilities in your technology systems; and
- Employing a robust vendor management risk assessment and monitoring program to make sure that outsiders whom you allow to access your consumer and financial data (a) are who they say they are, (b) are low risk actors, (c) employ their own internal controls managing their employees and systems, and where they are receiving proceeds (d) have verified trust accounts.
At Secure Insight we were the first company to specifically address fraud surrounding the closing transaction as it impacts consumers and lenders. We built the first ever database of professionals that addressed entity and individual risk, and the first process to verify trust accounts directly at the source. In ten years and after millions of successful closing transactions we offer a reliable SaaS solution to helping you fight mortgage and cyber fraud. For more information visit http://www.secureinsight.com.
Secure Insight Mortgage Industry Blog 